Cyber Privacy Act not specific enough, opens door to abuse

The recently introduced Cyber Privacy Act has mostly good intentions behind it …

No one likes having their personal information posted online by someone else, and a new bill introduced by House Representative Thaddeus McCotter (R-MI) aims to give users a way to send DMCA-like takedowns in order to get it removed. This bill suffers from some vague language that seemingly opens the door for abuse by those looking to take down criticism instead.

The bill is H.R. 5108, also known as the Cyber Privacy Act. The premise seems innocuous enough—it would allow individuals to ask websites to take down their personal information and, if they don't, the FTC could get involved with potential fines. The devil, as usual, is in the details (or in this case, the lack thereof).

The bill's brief description leaves open the possibility that users could begin sending takedowns en masse—either as a massive, coordinated troll or simply out of their own frustration—in an attempt to target criticism on topics they don't like. In a somewhat extreme (but possible) situation described by the Tech Liberation Front, a group of trolls might start posting a bunch of personal information and then try to overwhelm a website with takedown requests simply because they don't like the site hosting such a discussion in the first place.

Heck, people could post their own information and then send takedown requests about it later. The opportunities for abuse are endless.

The Bureau of National Affairs Tech Law blog has another perspective on the Cyber Privacy Act, noting that the bill's language only specifies websites that "contain" personal information—not necessarily ones that have made that info publicly available. The bill makes no distinction between publicly available information and that provided during a commercial interaction, either. Additionally, it makes no exceptions for sites that should display some level of personal information; the two examples provided are sex offender databases and Whois records on domain names.

The upside is, as Tech Law points out, that there are virtually no supporters for this bill. People reading the text can barely figure out what it's supposed to target, and it's unlikely that such a bill would make it all the way through the system without some major clarification (at least, let's hope not). Besides, a number of websites will already remove your personal information if you just ask nicely. A law enacting a takedown system seems like overkill.

Jacqui Cheng / Jacqui is an Editor at Large at Ars Technica, where she has spent the last eight years writing about Apple culture, gadgets, social networking, privacy, and more.